About This Document


This document is Volume 5 of the OCTAVE-S Implementation Guide, a 10-volume handbook supporting the OCTAVE-S methodology. This volume provides worksheets to document data related to critical assets that are categorized as information.

The volumes in this handbook are:

• Volume 1: Introduction to OCTAVE-S - This volume provides a basic description of OCTAVE-S and advice on how to use the guide.

• Volume 2: Preparation Guidelines - This volume contains background and guidance for preparing to conduct an OCTAVE-S evaluation.

• Volume 3: Method Guidelines - This volume includes detailed guidance for each OCTAVE-S activity.

• Volume 4: Organizational Information Workbook - This volume provides worksheets for all organizational-level information gathered and analyzed during OCTAVE-S.

• Volume 5: Critical Asset Workbook for Information - This volume provides worksheets to document data related to critical assets that are categorized as information.

• Volume 6: Critical Asset Workbook for Systems - This volume provides worksheets to document data related to critical assets that are categorized as systems.

• Volume 7: Critical Asset Workbook for Applications - This volume provides worksheets to document data related to critical assets that are categorized as applications.

• Volume 8: Critical Asset Workbook for People - This volume provides worksheets to document data related to critical assets that are categorized as people.

• Volume 9: Strategy and Plan Workbook - This volume provides worksheets to record the current and desired protection strategy and the risk mitigation plans.

• Volume 10: Example Scenario - This volume includes a detailed scenario illustrating a completed set of worksheets.
Abstract


The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organization's security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (fewer than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization's personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organization's unique operational security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organization's business and security processes, so it will be able to conduct all activities by itself.
1 Introduction


This document contains the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)-S worksheets related to critical assets that are information. The activities related to these worksheets are focused on analyzing a critical asset.

Table 1 provides a brief introduction to the contents of this workbook, using step numbers as a key. For more details about how to complete each step, refer to the OCTAVE-S Method Guidelines, which can be found in Volume 3 of the OCTAVE-S Implementation Guide.


Table 1: Worksheets Provided in This Workbook

Step | Description | Worksheet | Activity | Pages
Step 6 | Start a Critical Asset Information worksheet for each critical asset. Record the name of the critical asset on its Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8
Step 7 | Record your rationale for selecting each critical asset on that asset's Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8
Step 8 | Record a description for each critical asset on that asset's Critical Asset Information worksheet. Consider who uses each critical asset as well as who is responsible for it. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8
Step 9 | Record assets that are related to each critical asset on that asset's Critical Asset Information worksheet. Refer to the Asset Identification worksheet to determine which assets are related to each critical asset. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8

Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon University.
Table 1: Worksheets Provided in This Workbook (cont.)

Step | Description | Worksheet | Activity | Pages
Step 10 | Record the security requirements for each critical asset on that asset's Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.2 Identify Security Requirements for Critical Assets | 5-8
Step 11 | For each critical asset, record the most important security requirement on that asset's Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.2 Identify Security Requirements for Critical Assets | 5-8
Step 12 | Complete all appropriate threat trees for each critical asset. Mark each branch of each tree for which there is a non-negligible possibility of a threat to the asset. If you have difficulty interpreting a threat on any threat tree, review the description and examples of that threat in the Threat Translation Guide. | Risk Profile; Threat Translation Guide | Phase 1, Process S2, S2.3 Identify Threats to Critical Assets | 9-54
Step 13 | Record specific examples of threat actors on the Risk Profile worksheet for each applicable actor-motive combination. | Risk Profile | Phase 1, Process S2, S2.3 Identify Threats to Critical Assets | 9-54
Step 14 | Record the strength of the motive for deliberate threats due to human actors. Also record how confident you are in your estimate of the strength of the actor's motive. | Risk Profile | Phase 1, Process S2, S2.3 Identify Threats to Critical Assets | 9-54
Step 15 | Record how often each threat has occurred in the past. Also record how accurate you believe your data are. | Risk Profile | Phase 1, Process S2, S2.3 Identify Threats to Critical Assets | 9-54
Step 16 | Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset. | Risk Profile | Phase 1, Process S2, S2.3 Identify Threats to Critical Assets | 9-54

CMU/SEI-2003-HB-003 Volume 5, OCTAVE-S V1.0

Table 1: Worksheets Provided in This Workbook (cont.)

Step | Description | Worksheet | Activity | Pages
Step 17 | Select the system of interest for each critical asset (i.e., the system most closely related to the critical asset). | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18a | Review paths used to access each critical asset, and select key classes of components related to each critical asset. Determine which classes of components are part of the system of interest. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18b | Determine which classes of components serve as intermediate access points (i.e., which components are used to transmit information and applications from the system of interest to people). | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18c | Determine which classes of components, both internal and external to the organization's networks, are used by people (e.g., users, attackers) to access the system. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18d | Determine where information from the system of interest is stored for backup purposes. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18e | Determine which other systems access information or applications from the system of interest and which other classes of components can be used to access critical information or services from the system of interest. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Table 1: Worksheets Provided in This Workbook (cont.)

Step | Description | Worksheet | Activity | Pages
Step 22 | Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) for each active threat to each critical asset. | Risk Profile; Impact Evaluation Criteria | Phase 3, Process S4, S4.1 Evaluate Impacts of Threats | 9-54
Step 24 | Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) for each active threat to each critical asset. Document your confidence level in your probability estimate. | Risk Profile; Probability Evaluation Criteria | Phase 3, Process S4, S4.3 Evaluate Probabilities of Threats | 9-54
Step 26 | Transfer the stoplight status for each security practice area from the Security Practices worksheet to the "Security Practice Areas" section (Step 26) of each critical asset's Risk Profile worksheet. | Risk Profile; Security Practices | Phase 3, Process S5, S5.2 Select Mitigation Approaches | 9-54
Step 27 | Select a mitigation approach (mitigate, defer, accept) for each active risk. For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities. | Risk Profile | Phase 3, Process S5, S5.2 Select Mitigation Approaches | 9-54
2 Critical Asset Information Worksheet for Information

Phase 1, Process S2, Activity S2.1

Step 6
Start a Critical Asset Information worksheet for each critical asset. Record the name of the critical asset on its Critical Asset Information worksheet.

Step 7
Record your rationale for selecting each critical asset on that asset's Critical Asset Information worksheet.

Step 8
Record a description for each critical asset on that asset's Critical Asset Information worksheet. Consider who uses each critical asset as well as who is responsible for it.

Step 9
Record assets that are related to each critical asset on that asset's Critical Asset Information worksheet. Refer to the Asset Identification worksheet to determine which assets are related to each critical asset.

Phase 1, Process S2, Activity S2.2

Step 10
Record the security requirements for each critical asset on that asset's Critical Asset Information worksheet.

Step 11
For each critical asset, record the most important security requirement on that asset's Critical Asset Information worksheet.
Critical Asset Information Worksheet

Step 6  Critical Asset
What is the critical information?

Step 7  Rationale for Selection
Why is this information critical to the organization?

Step 9  Related Assets
Which assets are related to this information?
Systems:
Applications:
Other:
Critical Asset Information Worksheet (cont.)

Step 8  Description
Who uses the information?
Who is responsible for the information?

Step 10  Security Requirements
What are the security requirements for this information?
(Hint: Focus on what the security requirements should be for this information, not what they currently are.)

□ Confidentiality   Only authorized personnel can view __________.
□ Integrity         Only authorized personnel can modify __________.
□ Availability      __________ must be available for personnel to perform their jobs.
                    Unavailability cannot exceed ___ hour(s) per every ___ hours.
□ Other

Step 11  Most Important Security Requirement
Which security requirement is most important for this information?
□ Confidentiality
□ Integrity
□ Availability
□ Other
3 Risk Profile Worksheet for Information - Human Actors Using Network Access

Phase 1, Process S2, Activity S2.3

Step 12
Complete the threat tree for human actors using network access. Mark each branch of the tree for which there is a non-negligible possibility of a threat to the asset.

If you have difficulty interpreting a threat on the threat tree, review the description and examples of that threat in the Threat Translation Guide (see pp. 60-63 of this workbook).

Step 13
Record specific examples of threat actors on the Risk Profile worksheet for each applicable actor-motive combination.

Step 14
Record the strength of the motive for deliberate threats due to human actors. Also record how confident you are in your estimate of the strength of the actor's motive.

Step 15
Record how often each threat has occurred in the past. Also record how accurate you believe your data are.

Step 16
Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset.
Phase 3, Process S4, Activity S4.1

Step 22
Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) to each active threat.

Phase 3, Process S4, Activity S4.3

Step 24
Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) to each active threat. Document your confidence level in your probability estimate.

Phase 3, Process S5, Activity S5.2

Step 26
Transfer the stoplight status for each security practice area from the Security Practices worksheet to the "Security Practice Areas" section (Step 26) of the following worksheet.

Step 27
Select a mitigation approach (mitigate, defer, accept) for each active risk.

For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities.
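The sequence of steps above (Step 12 marks branches, Steps 22 and 24 rate each active threat, Step 27 picks an approach and circles practice areas only for mitigated risks) can be modelled in a few dozen lines. The following is an added example, not code from the OCTAVE-S handbook or from the SEI: it lays out the branches of the four threat trees used in this workbook and checks that a filled-in risk profile is complete and consistent. The asset name "customer records" and the practice-area name "vulnerability management" in the demo are constructed for the example and are not taken from this volume.

```python
"""Added example (not from the OCTAVE-S handbook): a small model of one critical
asset's risk profile worksheet, covering Step 12 (marked threat-tree branches),
Step 22 (impact values), Step 24 (probability and confidence) and Step 27
(mitigation approach), plus a check that the worksheet is filled in consistently.
Asset and practice-area names used in the demo are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Branch = Tuple[str, str, str]  # (threat category, threat source/actor, outcome)

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
IMPACT_AREAS = ("reputation", "financial", "productivity", "fines", "safety", "other")
LEVELS = ("high", "medium", "low")
APPROACHES = ("mitigate", "defer", "accept")

# Threat sources as laid out on the four threat trees in this workbook.
HUMAN_ACTORS = ("inside accidental", "inside deliberate",
                "outside accidental", "outside deliberate")
SYSTEM_PROBLEMS = ("software defects", "system crashes",
                   "hardware defects", "malicious code")
OTHER_PROBLEMS = ("power supply problems",
                  "telecommunications problems or unavailability",
                  "third-party problems or unavailability of third-party systems",
                  "natural disasters",
                  "physical configuration problems")


def threat_tree() -> List[Branch]:
    """Every branch of the four trees; Step 12 marks the subset that is active."""
    tree: List[Branch] = []
    for access in ("network", "physical"):
        tree += [(f"human actors using {access} access", actor, outcome)
                 for actor in HUMAN_ACTORS for outcome in OUTCOMES]
    tree += [("system problems", src, out) for src in SYSTEM_PROBLEMS for out in OUTCOMES]
    tree += [("other problems", src, out) for src in OTHER_PROBLEMS for out in OUTCOMES]
    return tree


@dataclass
class Risk:
    """One marked (active) branch together with its Step 22, 24 and 27 entries."""
    branch: Branch
    impact: Dict[str, str] = field(default_factory=dict)  # area -> high/medium/low
    probability: Optional[str] = None                     # high/medium/low
    confidence: Optional[str] = None                      # team's confidence in the estimate
    approach: Optional[str] = None                        # mitigate/defer/accept
    practice_areas: List[str] = field(default_factory=list)  # circled only when mitigating


def check_profile(asset: str, risks: List[Risk]) -> List[str]:
    """Return the gaps in a risk profile; an empty list means every active risk is complete."""
    tree = set(threat_tree())
    problems: List[str] = []
    for r in risks:
        tag = f"{asset} / {r.branch[1]} -> {r.branch[2]}"
        if r.branch not in tree:
            problems.append(f"{tag}: not a branch of any threat tree")
            continue
        if not r.impact or any(a not in IMPACT_AREAS or v not in LEVELS
                               for a, v in r.impact.items()):
            problems.append(f"{tag}: Step 22 impact values missing or invalid")
        if r.probability not in LEVELS or not r.confidence:
            problems.append(f"{tag}: Step 24 probability or confidence missing")
        if r.approach not in APPROACHES:
            problems.append(f"{tag}: Step 27 approach not selected")
        elif r.approach == "mitigate" and not r.practice_areas:
            problems.append(f"{tag}: Step 27 'mitigate' chosen but no practice area circled")
        elif r.approach != "mitigate" and r.practice_areas:
            problems.append(f"{tag}: practice areas circled for a risk that is not mitigated")
    return problems


def demo_profile() -> List[Risk]:
    """Constructed sample for an assumed asset 'customer records'; the practice-area
    name 'vulnerability management' is an assumption, not a name from this volume."""
    return [
        Risk(("system problems", "malicious code", "modification"),
             impact={"financial": "high", "productivity": "medium"},
             probability="medium", confidence="low",
             approach="mitigate", practice_areas=["vulnerability management"]),
        Risk(("human actors using network access", "outside deliberate", "disclosure"),
             impact={"reputation": "high", "fines": "medium"},
             probability="low", confidence="medium", approach="accept"),
    ]


if __name__ == "__main__":
    print(f"{len(threat_tree())} branches across the four threat trees")
    for line in check_profile("customer records", demo_profile()) or ["profile is complete"]:
        print(line)
```

Running the module prints the branch count and any gaps in the sample profile. The check mirrors the worksheet rules rather than adding new ones: a branch that is not on any tree is rejected, every active threat needs impact values and a probability with a confidence level, and practice areas are expected exactly when the approach is "mitigate".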
Human Actors Using Network Access

Basic Risk Profile

Step 12  Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Threat tree (Asset > Access > Actor > Motive > Outcome):

  [critical information]
    network access
      inside
        accidental: disclosure | modification | loss, destruction | interruption
        deliberate: disclosure | modification | loss, destruction | interruption
      outside
        accidental: disclosure | modification | loss, destruction | interruption
        deliberate: disclosure | modification | loss, destruction | interruption

Step 22  Impact Values
What is the potential impact on the organization in each applicable area?
(One value per marked branch for each area: Reputation, Financial, Productivity, Fines, Safety, Other.)
Basic Risk Profile (cont.): Human Actors Using Network Access

Step 24  Probability
How likely is the threat to occur in the future? How confident are you in your estimate?
(Value, Confidence)

Step 26  Security Practice Areas
What is the stoplight status for each security practice area?
(Strategic; Operational)

Step 27  Approach
What is your approach for addressing each risk?
4 Risk Profile Worksheet for Information - Human Actors Using Physical Access

Phase 1, Process S2, Activity S2.3

Step 12
Complete the threat tree for human actors using physical access. Mark each branch of the tree for which there is a non-negligible possibility of a threat to the asset.

If you have difficulty interpreting a threat on the threat tree, review the description and examples of that threat in the Threat Translation Guide (see pp. 64-67 of this workbook).

Step 13
Record specific examples of threat actors on the Risk Profile worksheet for each applicable actor-motive combination.

Step 14
Record the strength of the motive for deliberate threats due to human actors. Also record how confident you are in your estimate of the strength of the actor's motive.

Step 15
Record how often each threat has occurred in the past. Also record how accurate you believe your data are.

Step 16
Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset.
Phase 3, Process S4, Activity S4.1

Step 22
Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) to each active threat.

Phase 3, Process S4, Activity S4.3

Step 24
Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) to each active threat. Document your confidence level in your probability estimate.

Phase 3, Process S5, Activity S5.2

Step 26
Transfer the stoplight status for each security practice area from the Security Practices worksheet to the "Security Practice Areas" section (Step 26) of the following worksheet.

Step 27
Select a mitigation approach (mitigate, defer, accept) for each active risk.

For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities.
Human Actors Using Physical Access

Basic Risk Profile

Step 12  Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Threat tree (Asset > Access > Actor > Motive > Outcome):

  [critical information]
    physical access
      inside
        accidental: disclosure | modification | loss, destruction | interruption
        deliberate: disclosure | modification | loss, destruction | interruption
      outside
        accidental: disclosure | modification | loss, destruction | interruption
        deliberate: disclosure | modification | loss, destruction | interruption

Step 22  Impact Values
What is the potential impact on the organization in each applicable area?
(One value per marked branch for each area: Reputation, Financial, Productivity, Fines, Safety, Other.)
Basic Risk Profile (cont.): Human Actors Using Physical Access

Step 24  Probability
How likely is the threat to occur in the future? How confident are you in your estimate?
(Value, Confidence)

Step 26  Security Practice Areas
What is the stoplight status for each security practice area?
(Strategic; Operational)

Step 27  Approach
What is your approach for addressing each risk?
Step 16  Areas of Concern

Insiders Using Physical Access
Give examples of how insiders acting accidentally could use physical access to threaten this information.
Give examples of how insiders acting deliberately could use physical access to threaten this information.

Outsiders Using Physical Access
Give examples of how outsiders acting accidentally could use physical access to threaten this information.
Give examples of how outsiders acting deliberately could use physical access to threaten this information.
5 Risk Profile Worksheet for Information - System Problems

Phase 1, Process S2, Activity S2.3

Step 12
Complete the threat tree for system problems. Mark each branch of the tree for which there is a non-negligible possibility of a threat to the asset.

If you have difficulty interpreting a threat on the threat tree, review the description and examples of that threat in the Threat Translation Guide (see pp. 68-71 of this workbook).

Step 15
Record how often each threat has occurred in the past. Also record how accurate you believe your data are.

Step 16
Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset.
Phase 3, Process S4, Activity S4.1

Step 22
Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) to each active threat.

Phase 3, Process S4, Activity S4.3

Step 24
Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) to each active threat. Document your confidence level in your probability estimate.

Phase 3, Process S5, Activity S5.2

Step 26
Transfer the stoplight status for each security practice area from the Security Practices worksheet to the "Security Practice Areas" section (Step 26) of the following worksheet.

Step 27
Select a mitigation approach (mitigate, defer, accept) for each active risk.

For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities.
System Problems

Basic Risk Profile

Step 12  Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Threat tree (Asset > Actor > Outcome):

  [critical information]
    software defects: disclosure | modification | loss, destruction | interruption
    system crashes: disclosure | modification | loss, destruction | interruption
    hardware defects: disclosure | modification | loss, destruction | interruption
    malicious code (virus, worm, Trojan horse, back door): disclosure | modification | loss, destruction | interruption

Step 22  Impact Values
What is the potential impact on the organization in each applicable area?
(One value per marked branch for each area: Reputation, Financial, Productivity, Fines, Safety, Other.)
Step 16  Areas of Concern: System Problems

Software Defects
Give examples of how software defects could threaten this information.

System Crashes
Give examples of how system crashes could threaten this information.

Hardware Defects
Give examples of how hardware defects could threaten this information.

Malicious Code
Give examples of how malicious code could threaten this information. (Consider viruses, worms, Trojan horses, back doors, others.)
6 Risk Profile Worksheet for Information - Other Problems

Phase 1, Process S2, Activity S2.3

Step 12
Complete the threat tree for other problems. Mark each branch of the tree for which there is a non-negligible possibility of a threat to the asset.

If you have difficulty interpreting a threat on the threat tree, review the description and examples of that threat in the Threat Translation Guide (see pp. 72-77 of this workbook).

Step 15
Record how often each threat has occurred in the past. Also record how accurate you believe your data are.

Step 16
Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset.
Phase 3, Process S4, Activity S4.1

Step 22
Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) to each active threat.

Phase 3, Process S4, Activity S4.3

Step 24
Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) to each active threat. Document your confidence level in your probability estimate.

Phase 3, Process S5, Activity S5.2

Step 26
Transfer the stoplight status for each security practice area from the Security Practices worksheet to the "Security Practice Areas" section (Step 26) of the following worksheet.

Step 27
Select a mitigation approach (mitigate, defer, accept) for each active risk.

For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities.
Other Problems

Basic Risk Profile

Step 12  Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Threat tree (Asset > Actor > Outcome):

  [critical information]
    power supply problems: disclosure | modification | loss, destruction | interruption
    telecommunications problems or unavailability: disclosure | modification | loss, destruction | interruption
    third-party problems or unavailability of third-party systems: disclosure | modification | loss, destruction | interruption
    natural disasters (e.g., flood, fire, tornado): disclosure | modification | loss, destruction | interruption

Step 22  Impact Values
What is the potential impact on the organization in each applicable area?
(One value per marked branch for each area: Reputation, Financial, Productivity, Fines, Safety, Other.)
Basic Risk Profile (cont.): Other Problems

Step 24  Probability
How likely is the threat to occur in the future? How confident are you in your estimate?
(Value, Confidence)

Step 26  Security Practice Areas
What is the stoplight status for each security practice area?
(Strategic; Operational)

Step 27  Approach
What is your approach for addressing each risk?
Threat Context: Other Problems

Step 15  History
How often has this threat occurred in the past? How accurate are the data?

Threat source | Outcome | History | Accuracy of the data
power supply problems | disclosure | ___ times in ___ years | □ □ □
power supply problems | modification | ___ times in ___ years | □ □ □
power supply problems | loss, destruction | ___ times in ___ years | □ □ □
power supply problems | interruption | ___ times in ___ years | □ □ □
telecommunications problems or unavailability | disclosure | ___ times in ___ years | □ □ □
telecommunications problems or unavailability | modification | ___ times in ___ years | □ □ □
telecommunications problems or unavailability | loss, destruction | ___ times in ___ years | □ □ □
telecommunications problems or unavailability | interruption | ___ times in ___ years | □ □ □
third-party problems or unavailability of third-party systems | disclosure | ___ times in ___ years | □ □ □
third-party problems or unavailability of third-party systems | modification | ___ times in ___ years | □ □ □
third-party problems or unavailability of third-party systems | loss, destruction | ___ times in ___ years | □ □ □
third-party problems or unavailability of third-party systems | interruption | ___ times in ___ years | □ □ □
natural disasters (e.g., flood, fire, tornado) | disclosure | ___ times in ___ years | □ □ □
natural disasters (e.g., flood, fire, tornado) | modification | ___ times in ___ years | □ □ □
natural disasters (e.g., flood, fire, tornado) | loss, destruction | ___ times in ___ years | □ □ □
natural disasters (e.g., flood, fire, tornado) | interruption | ___ times in ___ years | □ □ □
Threat Context: Other Problems

Notes
What additional notes about each threat do you want to record?
Other Problems (cont.)

Basic Risk Profile

Step 12  Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Threat tree (Asset > Actor > Outcome):

  [critical information]
    physical configuration or arrangement of buildings, offices, or equipment: disclosure | modification | loss, destruction | interruption
    ______________________: disclosure | modification | loss, destruction | interruption
    ______________________: disclosure | modification | loss, destruction | interruption
    ______________________: disclosure | modification | loss, destruction | interruption

Step 22  Impact Values
What is the potential impact on the organization in each applicable area?
(One value per marked branch for each area: Reputation, Financial, Productivity, Fines, Safety, Other.)
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Basic Risk Profile: Other Problems (cont.)

Approach

What is your approach for addressing each risk?
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Threat Context: Other Problems (cont.)

Notes

What additional notes about each threat do you want to record?
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Areas of Concern: Physical Configuration Problems
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OCTAVE-S V1.0


7 Network Access Paths Worksheet


Step 17  Select the system of interest for each critical asset (i.e., the system most closely related to the critical asset).

Review paths used to access each critical asset, and select key classes of components related to each critical asset.

Step 18a  Determine which classes of components are part of the system of interest.

Step 18b  Determine which classes of components serve as intermediate access points (i.e., which components are used to transmit information and applications from the system of interest to people).

Step 18c  Determine which classes of components, both internal and external to the organization's networks, are used by people (e.g., users, attackers) to access the system.

Step 18d  Determine where information from the system of interest is stored for backup purposes.

Step 18e  Determine which other systems access information or applications from the system of interest and which other classes of components can be used to access critical information or services from the system of interest.
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Step 17

System of Interest

What system or systems are most closely related to the critical asset?

Access Points: System of Interest

Step 18a

System of Interest

Which of the following classes of components are part of the system of interest?

□ Servers
□ Internal Networks
□ On-Site Workstations
□ Others (list)

Access Points: Intermediate Access Points

Step 18b

Intermediate Access Points

Which of the following classes of components are used to transmit information and applications from the system of interest to people?

Which classes of components could serve as intermediate access points?

□ Internal Networks
□ External Networks
□ Others (list)

Note: When you select a key class of components, make sure that you also document any relevant subclasses or specific examples when appropriate.
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8 Threat Translation Guide

The Threat Translation Guide describes each branch of an asset-based threat tree. If you have difficulty understanding the types of threats represented by a branch, you can use this guide to decipher the meaning of that branch.

You will find asset-based threat trees for the following sources of threat:

Source of Threat: Page
Human actors using network access: 60-63
Human actors using physical access: 64-67
System problems: 68-71
Other problems: 72-77
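The four trees the guide describes, together with the worksheet steps that use them (mark the non-negligible branches, record a frequency as "times in years", record impact values and an approach), modelled as an added Python example; this is not code from the OCTAVE-S handbook, and the high/medium/low impact scale, the mitigate/accept/defer approach vocabulary and the sample asset are assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional

OUTCOMES = ("disclosure", "modification", "loss, destruction", "interruption")
# Sources and actors as laid out in the Threat Translation Guide trees.
HUMAN_ACCESS = {"human actors using network access": "network",
                "human actors using physical access": "physical"}
SYSTEM_PROBLEMS = ("software defects", "system crashes", "hardware defects",
                   "malicious code")
OTHER_PROBLEMS = (
    "power supply problems",
    "telecommunications problems or unavailability",
    "third-party problems or unavailability of third-party systems",
    "natural disasters",
    "physical configuration or arrangement of buildings, offices, or equipment")
# Assumed scales; the worksheet fixes neither vocabulary on this page.
IMPACT_VALUES = ("high", "medium", "low")
APPROACHES = ("mitigate", "accept", "defer")

@dataclass(frozen=True)
class Branch:
    asset: str
    source: str
    actor: str
    outcome: str
    access: Optional[str] = None  # human actors only
    motive: Optional[str] = None  # human actors only

def threat_tree(asset: str) -> List[Branch]:
    """Enumerate every branch of the four asset-based threat trees for one asset."""
    branches = []
    for source, access in HUMAN_ACCESS.items():
        for actor, motive, outcome in product(
                ("inside", "outside"), ("accidental", "deliberate"), OUTCOMES):
            branches.append(Branch(asset, source, actor, outcome, access, motive))
    for source, actors in (("system problems", SYSTEM_PROBLEMS),
                           ("other problems", OTHER_PROBLEMS)):
        for actor, outcome in product(actors, OUTCOMES):
            branches.append(Branch(asset, source, actor, outcome))
    return branches

@dataclass
class RiskEntry:
    """A marked branch plus what Step 12, Step 22 and the Approach column record."""
    branch: Branch
    times: int              # worksheet field "<times> times in <years> years"
    years: int
    impact: Dict[str, str]  # impact value per applicable area
    approach: str
    notes: str = ""

    def per_year(self) -> float:
        return self.times / self.years

class ThreatProfile:
    """Marked branches of one critical asset's threat trees (a basic risk profile)."""
    def __init__(self, asset: str):
        self.tree = threat_tree(asset)
        self.entries: Dict[Branch, RiskEntry] = {}

    def find(self, **where) -> Branch:
        # Select exactly one branch by field values (actor=..., outcome=..., ...).
        hits = [b for b in self.tree
                if all(getattr(b, k) == v for k, v in where.items())]
        if len(hits) != 1:
            raise ValueError(f"{len(hits)} branches match {where}; be more specific")
        return hits[0]

    def mark(self, times, years, impact, approach, notes="", **where) -> RiskEntry:
        """Mark a branch as a non-negligible threat and record its risk data."""
        if years <= 0 or times < 0:
            raise ValueError("frequency must be 'N times in M years' with M > 0")
        if approach not in APPROACHES or not set(impact.values()) <= set(IMPACT_VALUES):
            raise ValueError("unknown impact value or approach")
        entry = RiskEntry(self.find(**where), times, years, dict(impact), approach, notes)
        self.entries[entry.branch] = entry
        return entry

    def unmarked(self) -> List[Branch]:
        # Branches left unmarked: negligible or no possibility of a threat.
        return [b for b in self.tree if b not in self.entries]

    def ranked(self) -> List[RiskEntry]:
        # Marked branches, most frequent first.
        return sorted(self.entries.values(), key=RiskEntry.per_year, reverse=True)

def example_profile() -> ThreatProfile:
    """Constructed sample: two marked branches for a hypothetical critical asset."""
    p = ThreatProfile("customer database")
    p.mark(2, 1, {"productivity": "medium"}, "mitigate",
           actor="power supply problems", outcome="interruption")
    p.mark(1, 5, {"reputation": "high"}, "mitigate", access="network",
           actor="inside", motive="deliberate", outcome="disclosure")
    return p
```

A lookup that matches several branches (for example `outcome="disclosure"` alone) is rejected, so every marked entry corresponds to exactly one branch of the tree.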
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Human Actors Using Network Access

[Threat tree residue. Columns: Asset, Access, Actor, Motive, Outcome. Branches on this page: access = network; actor = inside; motive = accidental or deliberate; outcome = disclosure, modification, loss/destruction, interruption.]
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Description / Example

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally views confidential information on an important system.

Incorrect file permissions enable a staff member to accidentally access a restricted personnel database.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally modifies information on an important system.

A staff member accidentally enters incorrect financial data into a customer database.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally loses or destroys information on an important system.

A staff member deletes an important customer file by mistake.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally interrupts access to an important system.

A staff member who is not computer savvy inadvertently crashes an important system.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately view confidential information on an important system.

A staff member uses access to a restricted personnel database to deliberately view information in that database that is restricted by policy.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately modify information on an important system.

A staff member responsible for data entry deliberately enters incorrect customer information into a database.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately lose or destroy information on an important system.

A staff member with access to design documents for a new product deliberately deletes the files that contain those design documents.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately interrupt access to an important system.

A staff member uses legitimate access to the computing infrastructure to launch a denial-of-service attack on an important system.
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[Threat tree residue. Columns: Asset, Access, Actor, Motive, Outcome. Branches on this page: access = network; actor = outside; motive = accidental or deliberate; outcome = disclosure, modification, loss/destruction, interruption.]


CMU/SEI-2003-HB-003 Volume 5

Description / Example


An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and views confidential data on a system.

Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally views confidential personnel data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and accidentally modifies information on a system.

Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally modifies important customer data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and loses or destroys information on a system.

Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally loses or destroys financial data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and accidentally interrupts access to a system.

Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally crashes an important system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to view confidential information.

A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to view confidential customer information on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to modify information.

A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to modify financial data on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to lose or destroy information.

A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to lose or destroy a new product design on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to interrupt access to a system.

A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to an airline's scheduling system. The spy uses that access to crash the system and prevent real-time updates.
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Description / Example

A staff member without malicious intent accidentally views confidential information after gaining physical access to a system, one of its components, or a physical copy of the information.

A staff member accidentally sees confidential information on (1) a colleague's computer screen or (2) a printout on a colleague's desk.

A staff member without malicious intent accidentally modifies information after gaining physical access to a system, one of its components, or a physical copy of the information.

A staff member modifies information by (1) accidentally altering information on a colleague's computer while using it for another purpose or (2) accidentally taking a page of a printout on a colleague's desk.

A staff member without malicious intent accidentally loses or destroys information after gaining physical access to a system, one of its components, or a physical copy of the information.

A staff member loses or destroys information by (1) accidentally deleting information from a colleague's computer while using it or (2) shredding a paper accidentally taken from a colleague's desk.

A staff member without malicious intent interrupts access to a system or information by accidentally using physical access to a system, one of its components, or a physical copy of the information to prevent others from accessing the system or information.

A staff member interrupts access to a system by (1) accidentally crashing the system while accessing it from a colleague's computer or (2) locking the keys inside an office where a physical file is stored.

A staff member with malicious intent deliberately views confidential information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) view confidential information on a computer or (2) read a confidential memo lying on a desk.

A staff member with malicious intent deliberately modifies information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) modify information on a computer or (2) modify a physical file lying on a desk.

A staff member with malicious intent deliberately loses or destroys information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) delete information on a computer or (2) destroy a physical file lying on a desk.

A staff member with malicious intent deliberately interrupts access to an important system or information by breaching physical security to a system, one of its components, or a physical copy of the information and using that physical access to prevent others from accessing the system or information.

A staff member uses unauthorized access to a physically restricted area of the building to (1) gain access to and then deliberately crash an important business system or (2) jam the door and prevent others from physically accessing the systems and information located in that area of the building.
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[Threat tree residue. Columns: Access, Actor, Motive, Outcome.]
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Description / Example

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to view confidential information accidentally.

A consultant is given access to a staff member's office and accidentally sees confidential information on (1) a staff member's computer screen or (2) a printout on a staff member's desk.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to modify information accidentally.

A consultant is given access to the computer room and (1) accidentally makes the wrong change to a configuration file on a server or (2) accidentally records the wrong information in a maintenance log.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to lose or destroy information accidentally.

A consultant configuring one of your servers is given access to the computer room and accidentally (1) destroys an important electronic file or (2) throws away an important piece of system documentation.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to accidentally prevent others from accessing the information.

A consultant configuring one of your servers is given access to the computer room and accidentally (1) crashes a system while accessing it or (2) locks the keys to the computer room inside it after he or she leaves.

An attacker with malicious intent deliberately views confidential information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor's site and view confidential information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately modifies information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor's site and modify financial information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately loses or destroys information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information.

A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor's site and destroy customer information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately interrupts access to an important system or information by breaching physical security to a system, one of its components, or a physical copy of the information and by using that physical access to prevent others from accessing the system or information.

A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor's site and (1) deliberately crashes an important business system or (2) jams the door to prevent others from physically accessing the systems and information located in an area of the building.
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Asset / Actor / Outcome

software defects: disclosure; modification; loss, destruction; interruption

system crashes: disclosure; modification; loss, destruction; interruption

* Blank lines indicate unusual or extremely rare possibilities.
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Description / Example*

A software defect results in disclosure of information to unauthorized parties.

A defect in a computer's operating system changes file access permissions to permit world read and write permissions on certain files and directories.

A software defect results in modification of information on a system.

A custom software application incorrectly performs mathematical operations on data, affecting the integrity of the results.

A software defect results in the loss or destruction of information on a system.

A word processing application is known to crash computers periodically because of a problem with a specific command sequence, destroying any information that was not saved.

A software defect results in a system crash, preventing access to the system.

A word processing application is known to crash computers periodically because of a problem with a specific command sequence, preventing access to that computer.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in disclosure of information to unauthorized parties.

(blank*)

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in modification of information on that system.

A system crashes during a lengthy update of a financial database, corrupting the information in the database.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in the loss or destruction of information on that system.

A customer database system frequently crashes, destroying any information that was not saved at the time of the crash.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in interruption of access to that system.

An email server crashes, resulting in interruption of user access to email.
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Asset / Actor / Outcome

hardware defects: disclosure; modification; loss, destruction; interruption

malicious code (virus, worm, Trojan horse, back door): disclosure; modification; loss, destruction; interruption

* Blank lines indicate unusual or extremely rare possibilities.
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Description / Example*


A hardware defect results in disclosure of information to unauthorized parties.

(blank*)

A hardware defect results in modification of information on a system.

A disk drive develops a hardware problem that affects the integrity of a database that is stored on the disk.

A hardware defect results in the loss or destruction of information on a system.

A disk drive develops a hardware problem that ends up destroying the information on the disk. Files can be retrieved only from backups.

A hardware defect results in a system crash, preventing access to the system.

A disk drive develops a hardware problem, preventing access to any information on the disk until the problem is corrected.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that enables unauthorized parties to view information.

A back door on a system enables unauthorized people to access the system and view customer credit card information on that system.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that modifies information on that system.

A system is infected with a virus that modifies a process control application on the computer's disk drive.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that deletes information on that system.

A system is infected with a virus that deletes all information on the computer's disk drive.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that results in the system crashing.

A system is infected with a virus that is spread via email, slowing network traffic and creating a denial-of-service attack.
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Asset / Actor / Outcome

power supply problems: disclosure; modification; loss, destruction; interruption

telecommunications problems or unavailability: disclosure; modification; loss, destruction; interruption

* Blank lines indicate unusual or extremely rare possibilities.
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Description / Example*

Problems with the power supply lead to disclosure of

(blank*)

Problems with the power supply lead to modification of information on a system.

(blank*)

Problems with the power supply lead to loss or destruction of information on a system.

A power outage results in loss of any information that was not saved at the time of the outage.

Problems with the power supply lead to interruption of access to a system.

Unavailability of telecommunications services leads to disclosure of information to unauthorized parties.
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Other Problems

Asset / Actor / Outcome

third-party problems or unavailability of third-party systems: disclosure; modification; loss, destruction; interruption

natural disasters (e.g., flood, fire, tornado): disclosure; modification; loss, destruction; interruption

* Blank lines indicate unusual or extremely rare possibilities.
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Description / Example*

Problems with services provided by third parties (e.g., maintenance of systems) lead to disclosure of information to unauthorized parties.

A staff member from a third-party service provider views confidential information on a key business system that is maintained by that service provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to modification of information on a system.

Problems at a third-party service provider lead to the modification of information on a key business system located at that provider's site and maintained by the provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to loss or destruction of information on a system.

Problems at a third-party service provider lead to the destruction of information on a key business system located at that provider's site and maintained by the provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to interruption of access to a system.

A system maintained by a third-party service provider and located at the provider's site is unavailable due to problems created by that provider's staff.

Natural disasters (e.g., flood, fire, tornado) lead to modification of information.

People at the site of a tornado see confidential memos that are dispersed among the debris.

Natural disasters (e.g., flood, fire, tornado) lead to loss or destruction of information.

The flooding of a basement area destroys paper records that are stored there.

Natural disasters (e.g., flood, fire, tornado) lead to interruption of access to a system.

The flooding of a computer room in the basement of a building prevents access to systems in that room.



75 




Other Problems (cont.)

Asset / Actor / Outcome

physical configuration or arrangement of buildings, offices, or equipment: disclosure; modification; loss, destruction; interruption

(second actor row, label not on this page): disclosure; modification; loss, destruction; interruption

* Blank lines indicate unusual or extremely rare possibilities.
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Description / Example*

The physical configuration or arrangement of buildings, offices, or equipment leads to disclosure of information to unauthorized parties.

The layout of an office workspace enables anyone in the area to view customer credit card information displayed on computer screens.

The physical configuration or arrangement of buildings, offices, or equipment leads to modification of information on a system.

The physical configuration or arrangement of buildings, offices, or equipment leads to loss or destruction of information on a system.
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